“Don’t Use Amazon Key” – Here’s How Easily It Can Be Exploited

Rogue delivery person can potentially disable your camera and take more than they leave...

Amazon decided to offer consumers some more privacy-killing convenience last month with the launch of Amazon Key. The new service allows couriers to unlock your front door to deliver packages. That is convenient if you can’t get off your couch or are away from home (and in several other possible scenarios), but it is also a major privacy breach. Whether you trust the company enough to let it inside your house is one question. Whether Amazon itself trusts the people dropping the package off is another, more concerning one. It appears that it does, but that doesn’t mean you should too…

According to the latest research, Amazon Key is already vulnerable to a security disaster – it was a security disaster to begin with, but let’s try to focus on the “convenience” it offers. Amazon Key depends on the Cloud Cam and a smart lock to make this drop-off possible, letting in only those strangers who scan a barcode that is checked against the package information. The camera also records the drop-off so that you – the customer – can verify that nothing untoward happened in your absence.

The problem with Amazon Key – first of many?

Security researchers from Rhino Security Labs (via Wired) have revealed that it is extremely easy to disable the Amazon Cloud Cam – the critical component on which the security of this whole “drop off of the internet age” depends. According to this research, a courier can mount an easy but devastating denial-of-service (DoS) attack on the camera, sending a series of commands that kick it off the internet.

All an Amazon Key customer would see is the last image from before the attack happened. Thieves can potentially exploit this to rob your house, and you probably won’t be able to blame Amazon either. Knocking the camera offline also disconnects the door lock, because the Amazon Key lock doesn’t have its own internet connection; it communicates with the Cloud Cam over the Zigbee wireless protocol. This means that more people can let themselves into your house without your knowledge.

The issue isn’t with the Cloud Cam itself but with how every internet-connected device can be taken offline with repeated commands. Rhino said that the attacker can send a series of “deauthorization” commands to the Cloud Cam, kicking it off the network. They will need to send this deauth command again and again to keep the camera offline for as long as they need. This essentially freezes the camera on the image of a closed door, during which time the hacker/courier/intruder can reenter the house, move out of the camera’s view, and then stop sending deauth commands so that the camera comes back online.

That so-called deauth technique isn’t exactly a software bug in Cloud Cam. It’s an issue for practically all Wi-Fi devices, one that allows anyone to spoof a command from a Wi-Fi router that temporarily kicks a device off the network. In this case, Rhino’s script sends the command again and again, to keep the camera offline as long as the script is running. Most disturbingly, Amazon’s camera doesn’t respond to that attack by going dark, or alerting the user that the camera is offline. Instead, it continues to show any live viewer – or anyone watching back a recording – the last frame the camera saw when it was connected.
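The frozen last frame described above can be caught on the monitoring side by treating camera silence during a delivery as an alert rather than as "no change". The following is an added example, not Amazon's or Rhino's code: the heartbeat feed, the event names `unlock` and `lock_confirmed`, and the 5-second tolerance are all assumptions made for illustration.

```python
from dataclasses import dataclass

MAX_GAP_S = 5.0  # assumed: longest tolerated silence between camera heartbeats


@dataclass(frozen=True)
class Gap:
    start: float
    end: float


def offline_gaps(heartbeats, start, end, max_gap=MAX_GAP_S):
    """Return every silence longer than max_gap inside [start, end]."""
    seen = sorted(t for t in heartbeats if start <= t <= end)
    points = [start, *seen, end]
    return [Gap(a, b) for a, b in zip(points, points[1:]) if b - a > max_gap]


def review_delivery(heartbeats, events, session_end, max_gap=MAX_GAP_S):
    """Classify one delivery. events is a list of (timestamp, name) pairs."""
    unlocks = [t for t, name in events if name == "unlock"]
    if not unlocks:
        return {"status": "NO_DELIVERY", "gaps": [], "lock_verified": False}
    gaps = offline_gaps(heartbeats, unlocks[0], session_end, max_gap)
    # The lock reports through the camera, so a lock confirmation only counts
    # if it arrived after the camera was last known to be offline.
    trusted_from = gaps[-1].end if gaps else unlocks[0]
    lock_verified = any(
        name == "lock_confirmed" and t >= trusted_from for t, name in events
    )
    status = "OK" if not gaps and lock_verified else "ALERT"
    return {"status": status, "gaps": gaps, "lock_verified": lock_verified}


# Constructed sample: heartbeats every 2 s, silent between t=130 and t=190.
HEARTBEATS = [float(t) for t in range(100, 131, 2)] + [float(t) for t in range(190, 201, 2)]
EVENTS = [(104.0, "unlock"), (126.0, "lock_confirmed")]

if __name__ == "__main__":
    result = review_delivery(HEARTBEATS, EVENTS, session_end=200.0)
    print(result["status"], result["gaps"], result["lock_verified"])
```

In the constructed sample the lock was confirmed before the camera went silent, so the confirmation is not trusted and the delivery is flagged even though the last frame shows a closed door.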

Even if you are monitoring the drop off while it is happening, you won’t detect anything because it will show you that everything went as expected and that the door is locked after the courier leaves, while in reality, they can reenter the apartment without sending any alert to the user. Here’s the proof of concept of this attack.

Amazon has said that it will send an update to Amazon Key next week that will notify consumers when the camera goes offline for a longer period of time.

“Later this week we will deploy an update to more quickly provide notifications if the camera goes offline during delivery,” the company spokesperson said. “Every delivery driver passes a comprehensive background check that is verified by Amazon before they can make in-home deliveries, every delivery is connected to a specific driver, and before we unlock the door for a delivery, Amazon verifies that the correct driver is at the right address, at the intended time.”

However, researchers and security experts continue to advise: “Don’t use Amazon Key”.